This paper deals with the reachability analysis of {P,A}-Time Petri nets ({P,A}-TPN in short) in the context of strong semantics. It investigates the convexity of the union of state classes reached by different interleavings of the same set of transitions. In [6], the authors considered the T-TPN model and its Contracted State Class Graph (CSCG) [7] and showed that this union is not necessarily convex. They did, however, establish some sufficient conditions which ensure convexity. This paper shows that for the CSCG of {P,A}-TPN, this union is convex and can be computed without computing intermediate state classes. These results allow improving the forward reachability analysis by agglomerating, in the same state class, all state classes reached by different interleavings of the same set of transitions (abstraction by convex-union).

1 Introduction

Petri nets are established as a suitable formalism for modeling concurrent and dynamic systems. They are used in many fields (computer science, control systems, production systems, etc.). Several timed extensions have been defined to take into account different features of the system as well as its time constraints. The time constraints may be expressed in terms of stochastic delays of transitions (stochastic Petri nets), fixed values associated with places or transitions ({P,T}-Timed Petri nets), or intervals labeling places, transitions or arcs ({P,T,A}-Time Petri Nets) [11, 13]. For {P,T,A}-Time Petri Nets, there are two firing semantics: Weak Time Semantics (WTS) and Strong Time Semantics (STS). For both semantics, each enabled transition has an explicit or implicit firing interval derived from the time constraints associated with places, transitions or arcs of the net. A transition cannot be fired outside its firing interval, but in WTS its firing is not forced when the upper bound of its firing interval is reached, whereas in STS it must be fired within its firing interval unless it is disabled. The STS is the most widely used semantics. There are also multiple-server and single-server semantics. The multiple-server semantics allows handling, at the same time, several time intervals per place (P-TPN), per arc (A-TPN) or per transition (T-TPN), whereas this is not allowed in the single-server semantics.

In [1], the authors compared the expressiveness of the {P,T,A}-TPN models under strong semantics ($X$-TPN, $X \in \{P,T,A\}$) and under weak semantics (see Figure 1). They established that¹:

• For the single-server semantics, bounded {P,T,A}-TPN and safe {P,T,A}-TPN are equally expressive w.r.t. timed bisimilarity and hence w.r.t. timed language acceptance.

• T-TPN and P-TPN are incomparable models.

• A-TPN includes all the other models.

• The strong semantics includes the weak one for P-TPN and A-TPN, but not for T-TPN.

¹ A Petri net is bounded iff the number of tokens in each reachable marking is bounded. It is safe iff the number of tokens in each reachable marking cannot exceed one.




Figure 1: Comparison of the expressiveness of {P,T,A}-TPNs given in [1]

The reachability analysis of {P,T,A}-TPN is, in general, based on abstractions preserving properties of interest (markings or linear properties). In the abstractions preserving linear properties, we generally distinguish three levels of abstraction. In the first level, states reachable by time progression may be either represented or abstracted. In the second level, states reachable by the same sequence of transitions, independently of their firing times, are agglomerated in the same node. In the third level, the agglomerated states are considered modulo some equivalence relation: the firing domain of the state class graph (SCG) [4], the bisimulation relation over the SCG of the contracted state class graph (CSCG) [7], the approximations of the zone based graph (ZBG) [3]. An abstract state is then an equivalence class of this relation. Usually, all states within an abstract state share the same marking and the union of their time domains is convex and defined as a conjunction of atomic constraints². From the practical point of view, Difference Bound Matrices (DBMs) are a useful data structure for representing and handling sets of atomic constraints efficiently [1].

The classical forward reachability analysis consists of computing, on-the-fly, all abstract states that 
are reachable from the initial abstract state. The reachability problem is known to be decidable for 
bounded {P,T,A}-TPN but the reachability analysis suffers from the state explosion problem. For timed 
models, this problem is accentuated by the fact that, in the state space abstraction, a node represents, 
in fact, a finite/infinite set of states (abstract state) and interleavings of concurrent transitions lead, in 
general, to different abstract states. 

To attenuate the state explosion problem, the reachability analysis is usually based on an abstraction by inclusion or by convex-union. During the construction of an abstraction, each newly computed abstract state is compared with the previously computed ones. In the abstractions by inclusion, two abstract states with the same marking, having domains such that one is included in the other, are grouped into one node. In the abstractions by convex-union, two abstract states with the same marking, having domains such that their union is convex (and hence can be represented by a single DBM), are grouped into one node. Convex-union abstractions are more compact than inclusion abstractions [10]. However, it is known that DBMs are not closed under union, and the convex-union test is a very expensive operation relative to the test of inclusion [10]. The convex-union test of $n$ (with $n > 1$) abstract states $\alpha_1 = (M, D_1), \alpha_2 = (M, D_2), \ldots, \alpha_n = (M, D_n)$ involves computing the smallest enclosing DBM $\alpha = (M, D)$ of their union, the difference between $D$ and $D_1, D_2, \ldots, D_{n-1}$, and finally checking that this difference is included in $D_n$.

² An atomic constraint is of the form $x - y \le c$, $x \le c$ or $-x \le c$, where $x, y$ are real valued variables representing clocks or delays, $c \in \mathbb{Q} \cup \{\infty\}$ and $\mathbb{Q}$ is the set of rational numbers (for economy of notation, we use the operator $\le$ even if $c = \infty$).

Another interesting reachability analysis approach, proposed in [2] for a CCS-like parallel composition of timed automata, consists of computing abstract states in a breadth-first manner and, at each level, grouping in one abstract state all abstract states reached by different interleavings of the same set of concurrent transitions. The authors showed that this union is convex, and hence needs no convexity test. To use this approach in the context of {P,T,A}-TPN, we need to show that the union of abstract states reached by different interleavings of the same set of transitions is convex. In [6], the authors showed that for the T-TPN model, this union is not necessarily convex in the SCG and the CSCG. This paper shows that for the P-TPN, this union is not necessarily convex in the SCG but is convex in the CSCG. Finally, it shows that these results are also valid for the A-TPN model.

The next section is devoted to the P-TPN model, its semantics, its SCG, its CSCG, and the proof 
that the union of abstract states (i.e., state classes) reached by different interleavings of the same set of 
transitions is not necessarily convex in the SCG but is convex in the CSCG. Moreover, this union can 
be computed directly without computing beforehand intermediate state classes. Section 3 extends the 
results shown in Section 2 to the A-TPN model. Section 4 contains concluding remarks. 

2 P-Time Petri Nets 

In this paper, for reasons of clarity, we consider safe P-Time Petri nets. 
2.1 Definition and behavior 

A P-Time Petri net is a Petri net augmented with time intervals associated with places. Formally, a P-TPN is a tuple $(P, T, Pre, Post, M_0, Isp)$ where:

1. $P = \{p_1, \ldots, p_m\}$ and $T = \{t_1, \ldots, t_n\}$ are nonempty and finite sets of places and transitions such that $P \cap T = \emptyset$,

2. $Pre$ and $Post$ map each transition to its preset and postset ($Pre, Post : T \to 2^P$, $Pre(t_i) = {}^{\circ}t_i \subseteq P$, $Post(t_i) = t_i^{\circ} \subseteq P$),

3. $M_0$ is the initial marking ($M_0 \subseteq P$),

4. $Isp$ is the static residence interval function ($Isp : P \to \mathbb{Q}^+ \times (\mathbb{Q}^+ \cup \{\infty\})$), $\mathbb{Q}^+$ being the set of non-negative rational numbers. $Isp(p_i)$ specifies the lower $\downarrow Isp(p_i)$ and the upper $\uparrow Isp(p_i)$ bounds of the static residence interval in place $p_i$.

Let $M \subseteq P$ be a marking and $t_i$ a transition of $T$. Transition $t_i$ is enabled for $M$ iff all the tokens required for firing $t_i$ are present in $M$, i.e., $Pre(t_i) \subseteq M$. The firing of $t_i$ from $M$ leads to the marking $M' = (M - Pre(t_i)) \cup Post(t_i)$. The set of transitions enabled for $M$ is denoted $En(M)$, i.e., $En(M) = \{t_i \in T \mid Pre(t_i) \subseteq M\}$. A transition $t_k \in En(M)$ is in conflict with $t_i$ in $M$ iff $Pre(t_k) \cap Pre(t_i) \neq \emptyset$. The firing of $t_i$ will disable $t_k$.

In this model, a token may die. A token of place $p$ dies when its interval becomes empty. Dead tokens will never be used and are considered as modeling flaws that should be avoided. To detect the dead tokens, we add a special transition named $Err$ whose only role is to make tokens die.
The P-TPN state is defined as a triplet $s = (M, Deadp, Ip)$, where $M \subseteq P$ is a marking, $Deadp \subseteq M$ is the set of dead tokens in $M$ and $Ip$ is the residence interval function ($Ip : M - Deadp \to \mathbb{Q}^+ \times (\mathbb{Q}^+ \cup \{\infty\})$). The initial state of the P-TPN model is $s_0 = (M_0, Deadp_0, Ip_0)$ where $Deadp_0 = \emptyset$ and $Ip_0(p_i) = Isp(p_i)$ for all $p_i \in M_0$. When a token is created in place $p_i$, its residence interval is set to its static residence interval $Isp(p_i)$. The bounds of this interval decrease synchronously with time, until the token of $p_i$ is consumed or dies. A transition $t_i$ can fire iff all its input tokens are available, i.e., the lower bounds of their residence intervals have reached 0, but must fire, without any additional delay, if the upper bound of at least one of its input tokens reaches 0. The firing of a transition takes no time.

We define the P-TPN semantics as follows. Let $s = (M, Deadp, Ip)$ and $s' = (M', Deadp', Ip')$ be two states of a P-TPN, $d \in \mathbb{R}^+$ a nonnegative real number and $t_f \in T$ a transition of the net.

- We write $s \xrightarrow{d} s'$, also denoted $s + d$, iff the state $s'$ is reachable from state $s$ by a time progression of $d$ units, i.e., $\forall p_i \in M - Deadp,\ d \le \uparrow Ip(p_i)$, $M' = M$, $Deadp' = Deadp$, and $\forall p_j \in M' - Deadp'$, $Ip'(p_j) = [Max(0, \downarrow Ip(p_j) - d),\ \uparrow Ip(p_j) - d]$. The time progression is allowed as long as we do not overpass the residence intervals of the non dead tokens. No token may die by this time progression.

- We write $s \xrightarrow{t_f} s'$ iff state $s'$ is immediately reachable from state $s$ by firing transition $t_f$, i.e., $Pre(t_f) \subseteq M - Deadp$, $\forall p_i \in Pre(t_f),\ \downarrow Ip(p_i) = 0$, $M' = (M - Pre(t_f)) \cup Post(t_f)$, $Deadp' = Deadp$, and $\forall p_i \in M' - Deadp'$, $Ip'(p_i) = Isp(p_i)$ if $p_i \in Post(t_f)$ and $Ip'(p_i) = Ip(p_i)$ otherwise.

- We write $s \xrightarrow{Err} s'$ iff state $s'$ is immediately reachable from state $s$ by firing transition $Err$. Transition $Err$ is immediately firable from $s$ if there exists no transition firable from $s$ and there is at least one token in $M - Deadp$ s.t. the upper bound of its interval has reached 0 (token to die), i.e., $(\forall t_k \in En(M - Deadp), \exists p_j \in Pre(t_k),\ \downarrow Ip(p_j) > 0)$, $(\exists p_i \in M - Deadp,\ \uparrow Ip(p_i) = 0)$, $M' = M$, $Deadp' = Deadp \cup \{p_j \in M - Deadp \mid \uparrow Ip(p_j) = 0\}$, and $(\forall p_i \in M' - Deadp',\ Ip'(p_i) = Ip(p_i))$.

According to the above semantics, the states from which transition $Err$ is firable are timelock states³. Therefore, transition $Err$ allows detecting timelock states and dead tokens, and also unblocking the time progression.

The P-TPN state space is the timed transition system $(S, \to, s_0)$, where $s_0$ is the initial state of the P-TPN and $S = \{s \mid s_0 \xrightarrow{*} s\}$ is the set of reachable states of the model, $\xrightarrow{*}$ being the reflexive and transitive closure of the relation $\to$ defined above.

A run in the P-TPN state space $(S, \to, s_0)$, starting from a state $s$, is a maximal sequence $\rho = s_1 \xrightarrow{d_1} s_1 + d_1 \xrightarrow{t_1} s_2 \xrightarrow{d_2} \cdots$, such that $s_1 = s$. By convention, for any state $s_i$, the relation $s_i \xrightarrow{0} s_i$ holds. The sequence $d_1 t_1 d_2 t_2 \ldots$ is called the timed trace of $\rho$. The sequence $t_1 t_2 \ldots$ is called the untimed trace of $\rho$. Runs of the P-TPN are all runs starting from the initial state $s_0$. Its timed (resp. untimed) traces are the timed (resp. untimed) traces of its initial state.



2.2 The SCG and CSCG of P-TPN 

The SCG of P-TPN is defined in a similar way as the SCG of T-TPN, except that time constraints are associated with places, and tokens may die. An SCG state class is defined as a triplet $\alpha = (M, Deadp, \phi_p)$ where $M \subseteq P$, $Deadp \subseteq M$ is the set of dead tokens in $M$ and $\phi_p$ is a conjunction of atomic constraints⁴ characterizing the union of the residence intervals of its non dead tokens. Each place $p_j$ of $M - Deadp$ has a variable denoted $\underline{p}_j$ in $\phi_p$ representing the residence delay of its token (i.e., the waiting time before its consumption or its death).

³ A state $s$ is a timelock state iff no progression of time is possible and no transition is firable from $s$.

⁴ An atomic constraint is of the form $x - y \le c$, $x \le c$ or $-y \le c$, where $x, y$ are real valued variables, $c \in \mathbb{Q} \cup \{\infty\}$ and $\mathbb{Q}$ is the set of rational numbers (for economy of notation, we use the operator $\le$ even if $c = \infty$).
From the practical point of view, $\phi_p$ is represented by a Difference Bound Matrix (DBM). The DBM of $\phi_p$ is a square matrix $D$ of order $|M - Deadp| + 1$, indexed by the variables of $\phi_p$ and a special variable $\underline{p}_0$ whose value is fixed at 0. Each entry $d_{ij}$ represents the atomic constraint $\underline{p}_i - \underline{p}_j \le d_{ij}$. Hence, entries $d_{i0}$ and $d_{0j}$ represent the simple atomic constraints $\underline{p}_i \le d_{i0}$ and $-\underline{p}_j \le d_{0j}$, respectively. If there is no upper bound on $\underline{p}_i - \underline{p}_j$ with $i \neq j$, $d_{ij}$ is set to $\infty$. Entry $d_{ii}$ is set to 0. Though the same nonempty domain may be represented by different DBMs, they have a unique form called the canonical form. The canonical form of a DBM is the representation with the tightest bounds on all differences between variables, computed by propagating the effect of each entry through the DBM. It can be computed in $O(n^3)$, $n$ being the number of variables in the DBM, using a shortest path algorithm, like the Floyd-Warshall all-pairs shortest path algorithm [1]. Canonical forms make operations over DBMs much simpler [3].

The initial state class is $\alpha_0 = (M_0, Deadp_0, \phi_{p0})$ where $M_0$ is the initial marking, $Deadp_0 = \emptyset$ and

$$
\phi_{p0} = \bigwedge_{p_i \in M_0} \downarrow Isp(p_i) \le \underline{p}_i \le \uparrow Isp(p_i).
$$

Successor state classes are computed using the following firing rule [4]: Let $\alpha = (M, Deadp, \phi_p)$ be a state class and $t_f$ a transition of $T$. The state class $\alpha$ has a successor by $t_f$ (i.e., $succ(\alpha, t_f) \neq \emptyset$) iff $Pre(t_f) \subseteq M - Deadp$ and the following formula is consistent⁵:

$$
\phi_p \wedge \Big( \bigwedge_{p_f \in Pre(t_f),\ p_j \in M - Deadp} \underline{p}_f - \underline{p}_j \le 0 \Big).
$$

This firing condition means that $t_f$ is enabled in $M - Deadp$ and there is a state s.t. the residence delay of each input token of $t_f$ is less than or equal to the residence delays of all non dead tokens in $M$.
If $succ(\alpha, t_f) \neq \emptyset$ then $succ(\alpha, t_f) = (M', Deadp', \phi'_p)$ is computed as follows:

1. $M' = (M - Pre(t_f)) \cup Post(t_f)$;

2. $Deadp' = Deadp$;

3. Set $\phi'_p$ to $\phi_p \wedge \big( \bigwedge_{p_f \in Pre(t_f),\ p_j \in M - Deadp} \underline{p}_f - \underline{p}_j \le 0 \big)$;

4. Rename, in $\phi'_p$, $\underline{p}_f$ in $\underline{t}_f$, for all $p_f \in Pre(t_f)$;

5. Add the constraints $\bigwedge_{p_n \in Post(t_f)} \downarrow Isp(p_n) \le \underline{p}_n - \underline{t}_f \le \uparrow Isp(p_n)$;

6. Replace each variable $\underline{p}_i$ by $\underline{p}_i + \underline{t}_f$ (this substitution actualizes the delays: old $\underline{p}_i$ = new $\underline{p}_i + \underline{t}_f$);

7. Eliminate $\underline{t}_f$ by substitution.

If $t_f$ is firable then its firing consumes its input tokens and creates a token in each of its output places. Step 2) means that no token may die by firing $t_f$. Step 3) isolates the states of $\alpha$ from which $t_f$ is firable. Note that this firing condition implies that $\forall p_f, p'_f \in Pre(t_f)$, $\underline{p}_f = \underline{p}'_f$, and hence the firing delay $\underline{t}_f$ of $t_f$ is equal to $\underline{p}_f$. Step 4) renames the variables associated with the tokens consumed by $t_f$ in $\underline{t}_f$. Step 5) adds the constraints of the created tokens. The residence interval of a token created by $t_f$ is relative to the firing date of $t_f$. Step 6) updates the delays of the tokens not used by $t_f$. Step 7) eliminates the variable $\underline{t}_f$.

For example, consider the P-TPN shown in Figure 2.a). From its initial SCG state class $\alpha_0 = (p_1 + p_2, \emptyset, 1 \le \underline{p}_1 \le 3 \wedge 2 \le \underline{p}_2 \le 4)$, transition $t_1$ is firable from $\alpha_0$, since $1 \le \underline{p}_1 \le 3 \wedge 2 \le \underline{p}_2 \le 4 \wedge \underline{p}_1 - \underline{p}_2 \le 0$ is consistent. The firing of $t_1$ leads to the state class $(p_2 + p_3, \emptyset, 0 \le \underline{p}_2 \le 3 \wedge \underline{p}_3 = 1)$. Its formula is derived from the firing condition of $t_1$ from $\alpha_0$ as follows: rename $\underline{p}_1$ in $\underline{t}_1$, add the constraint $1 \le \underline{p}_3 - \underline{t}_1 \le 1$, replace $\underline{p}_2$ and $\underline{p}_3$ by $\underline{p}_2 + \underline{t}_1$ and $\underline{p}_3 + \underline{t}_1$, respectively, and finally eliminate $\underline{t}_1$ by substitution.

⁵ A formula $\phi$ is consistent iff there is at least one tuple of values that satisfies, at once, all the constraints of $\phi$.

Figure 2: P-TPNs used to illustrate features of the interleaving in the SCG and the CSCG. a) $t_1$ and $t_2$ are independent; b) $t_3$ is dependent on $t_1$ and $t_2$. (Place labels visible in the figure: $p_1\ [1,3]$, $p_2\ [2,6]$.)

The transition $Err$ is firable from $\alpha = (M, Deadp, \phi_p)$ iff there is no possibility to reach the intervals of the input places of any enabled transition without overpassing the interval of a non dead token, i.e., $\exists p_i \in M - Deadp$ s.t. $\forall t_f \in En(M - Deadp)$, $\phi_p \wedge \big( \bigwedge_{p_f \in Pre(t_f)} \underline{p}_f - \underline{p}_i \le 0 \big)$ is not consistent.

If $Err$ is firable from $\alpha$ (i.e., $succ(\alpha, Err) \neq \emptyset$), its firing leads to the state class $\alpha' = succ(\alpha, Err) = (M', Deadp', \phi'_p)$ where: $M' = M$, $Deadp' = Deadp \cup \{p_i \in M - Deadp \mid \forall t_f \in En(M - Deadp),\ \phi_p \wedge ( \bigwedge_{p_f \in Pre(t_f)} \underline{p}_f - \underline{p}_i \le 0 ) \text{ is not consistent}\}$, and $\phi'_p$ is obtained from $\phi_p$ by eliminating by substitution all the variables associated with the places of $Deadp' - Deadp$ (i.e., by putting $\phi_p$ in canonical form and eliminating all the variables associated with the places of $Deadp' - Deadp$).

Let $\alpha, \alpha'$ be two state classes and $X \in T \cup \{Err\}$ a transition. We write $\alpha \xrightarrow{X} \alpha'$ iff $succ(\alpha, X) \neq \emptyset \wedge \alpha' = succ(\alpha, X)$. The SCG of the P-TPN is the structure $(\mathcal{C}, \to, \alpha_0)$ where $\alpha_0$ is the initial state class and $\mathcal{C} = \{\alpha \mid \alpha_0 \xrightarrow{*} \alpha\}$ is the set of reachable state classes.

Note that dead tokens have no effect on the future behavior. Therefore, we can abstract dead tokens when we compare state classes. Two state classes $\alpha = (M, Deadp, \phi_p)$ and $\alpha' = (M', Deadp', \phi'_p)$ are said to be equal iff they have the same set of non dead tokens (i.e., $M - Deadp = M' - Deadp'$) and the DBMs of their formulas have the same canonical form (i.e., $\phi_p \equiv \phi'_p$).

In the same way as for the SCG of T-TPN [1], we can prove that the SCG of P-TPN is finite and preserves linear properties.

According to the firing rule given above, simple atomic constraints (i.e., atomic constraints of the form $\underline{p}_i \le c$ or $-\underline{p}_i \le c$) are not necessary to compute the successor state classes. It follows that all classes with the same triangular atomic constraints (i.e., atomic constraints of the form $\underline{p}_i - \underline{p}_j \le c$) have the same firing sequences. They can be agglomerated into one node while preserving the linear properties of the model. This kind of agglomeration has been successfully used in [7] for the SCG of the T-TPN.

Formally, we define a bisimulation relation, denoted $\sim$, over the SCG of the P-TPN by: $\forall \alpha = (M, Deadp, \phi_p), \alpha' = (M', Deadp', \phi'_p) \in \mathcal{C}$, let $D$ and $D'$ be the DBMs in canonical form of $\phi_p$ and $\phi'_p$, respectively; $(M, Deadp, \phi_p) \sim (M', Deadp', \phi'_p)$ iff $M - Deadp = M' - Deadp'$ and $\forall p_i, p_j \in M - Deadp$, $d_{ij} = d'_{ij}$.

The CSCG of the P-TPN is the quotient graph of the SCG w.r.t. $\sim$. A CSCG state class is an equivalence class of $\sim$. It is defined as a triplet $\beta = (M, Deadp, \psi_p)$, where $\psi_p$ is a conjunction of triangular atomic constraints. The initial CSCG state class is $\beta_0 = (M_0, Deadp_0, \psi_{p0})$ where $M_0$ is the initial marking, $Deadp_0 = \emptyset$ and

$$
\psi_{p0} = \bigwedge_{p_i, p_j \in M_0} \underline{p}_i - \underline{p}_j \le \uparrow Isp(p_i) - \downarrow Isp(p_j).
$$

The CSCG state classes are computed in the same manner as the SCG state classes, except that step 6) of the firing rule given above is not needed, because the substitution of each $\underline{p}_i$ by $\underline{p}_i + \underline{t}_f$ has no effect on triangular atomic constraints ($(\underline{p}_i + \underline{t}_f) - (\underline{p}_j + \underline{t}_f) = \underline{p}_i - \underline{p}_j$). Steps 6) and 7) are replaced by: put the resulting formula in canonical form and then eliminate all the constraints containing $\underline{t}_f$.

2.3 Interleaving in the P-TPN state class graph 

Note that transition $Err$, used to detect timelock states and dead tokens, cannot be concurrent with any transition of $T$. So, there is no interleaving between $Err$ and the transitions of $T$.

Let us first show, by means of a counterexample, that the union of the SCG state classes of a P-TPN, 
reached by different interleavings of the same set of transitions of T, is not generally convex. 

Consider the P-TPN shown in Figure 2.a). From its initial SCG state class $\alpha_0 = (p_1 + p_2, \emptyset, 1 \le \underline{p}_1 \le 3 \wedge 2 \le \underline{p}_2 \le 4)$, the sequences $t_1 t_2$ and $t_2 t_1$ lead respectively to the SCG state classes
$\alpha_1 = (p_3 + p_4, \emptyset, 0 \le \underline{p}_3 \le 1 \wedge \underline{p}_4 = 2 \wedge -2 \le \underline{p}_3 - \underline{p}_4 \le -1)$ and
$\alpha_2 = (p_3 + p_4, \emptyset, \underline{p}_3 = 1 \wedge 1 \le \underline{p}_4 \le 2 \wedge -1 \le \underline{p}_3 - \underline{p}_4 \le 0)$.
The union of the domains of $\alpha_1$ and $\alpha_2$ is obviously not convex.

Consider now the CSCG of the same net. From its initial CSCG state class $\beta_0 = (p_1 + p_2, \emptyset, -3 \le \underline{p}_1 - \underline{p}_2 \le 1)$, the sequences $t_1 t_2$ and $t_2 t_1$ lead to the CSCG state classes
$\beta_1 = (p_3 + p_4, \emptyset, -2 \le \underline{p}_3 - \underline{p}_4 \le -1)$ and $\beta_2 = (p_3 + p_4, \emptyset, -1 \le \underline{p}_3 - \underline{p}_4 \le 0)$, respectively.
The union of the domains of $\beta_1$ and $\beta_2$ is convex ($-2 \le \underline{p}_3 - \underline{p}_4 \le 0$).

We will show, in the following, that this result is always valid for the union of all the CSCG state 
classes reached by different interleavings of the same set of transitions. Let us first establish the firing 
condition of a sequence of concurrent transitions. 

Proposition 1 Let $\beta = (M, Deadp, \psi_p)$ be a CSCG state class, $T_m \subseteq T$ a set of transitions enabled and not in conflict in $M - Deadp$, $\Omega(T_m)$ the set of all interleavings of the transitions of $T_m$ and $\omega = t_1 t_2 \cdots t_m \in \Omega(T_m)$. The successor of $\beta$ by $\omega$ is non empty (i.e., $succ(\beta, \omega) \neq \emptyset$)⁶ iff the following formula, denoted $\varphi_p$, is consistent:

$$
\psi_p \wedge \underline{t}_1 \le \underline{t}_2 \le \cdots \le \underline{t}_m \wedge \bigwedge_{f \in [1,m]} \Big[ \bigwedge_{p_i \in Pre(t_f)} \underline{p}_i = \underline{t}_f \ \wedge \bigwedge_{p_j \in (M - Deadp) - \bigcup_{l \in [1,f[} Pre(t_l)} \underline{t}_f - \underline{p}_j \le 0 \ \wedge \bigwedge_{k \in [1,f[,\ p_n \in Post(t_k)} \underline{t}_f - \underline{p}^k_n \le 0 \ \wedge \bigwedge_{p_n \in Post(t_f)} \downarrow Isp(p_n) \le \underline{p}^f_n - \underline{t}_f \le \uparrow Isp(p_n) \Big]
$$

Proof 1 By assumption, the transitions of $T_m$ are not in conflict (i.e., $\forall t_i, t_l \in T_m$ s.t. $t_i \neq t_l$, $Pre(t_i) \cap Pre(t_l) = \emptyset$). The firing condition of the sequence $t_1 t_2 \ldots t_m$ from $\beta$ adds to $\psi_p$ the firing constraints of the transitions of the sequence (for $f \in [1,m]$). We add, for each transition $t_f$ of the sequence, a variable, denoted $\underline{t}_f$, representing its firing delay. The added constraints consist of five blocks. The first block fixes the firing order of the transitions of $T_m$. The second block means that the residence delays of the tokens used by each transition $t_f$ must be equal to $\underline{t}_f$. The third and the fourth blocks mean that the firing delay $\underline{t}_f$ is less than or equal to the residence delays of the tokens that are present (and not dead) when $t_f$ is fired (i.e., $p_j \in (M - Deadp) - \bigcup_{l \in [1,f[} Pre(t_l)$ and $p_n \in \bigcup_{k \in [1,f[} Post(t_k)$). The fifth block of constraints specifies the residence delays of the tokens created by $t_f$ (i.e., $p_n \in Post(t_f)$). Note that $\underline{p}^f_n$ denotes the residence delay of the token $p_n$ created by $t_f$.

⁶ $succ(\beta, \omega)$ is the set of all states reachable from any state of $\beta$ by a timed run supporting $\omega$.
As an example, consider the P-TPN shown in Figure 2.b) and its initial CSCG state class $\beta_0 = (p_1 + p_2, \emptyset, -5 \le \underline{p}_1 - \underline{p}_2 \le 1)$. The firing condition $\varphi_{p1}$ of the sequence $t_1 t_2$ is computed as follows:

1) Set $\varphi_{p1}$ to $-5 \le \underline{p}_1 - \underline{p}_2 \le 1$;

2) Add the variables $\underline{t}_1$ and $\underline{t}_2$ and the constraint $\underline{t}_1 \le \underline{t}_2$;

3) Add the constraints specifying the firing delays of $t_1$ and $t_2$: $\underline{t}_1 = \underline{p}_1 \wedge \underline{t}_2 = \underline{p}_2$;

4) Add the constraints of the tokens created by $t_1$: $1 \le \underline{p}_3 - \underline{t}_1 \le 5 \wedge 0 \le \underline{p}_5 - \underline{t}_1 \le 2$;

5) Add the constraints specifying that the firing delay of $t_2$ is less than or equal to the residence delays of the tokens created by $t_1$: $\underline{t}_2 \le \underline{p}_3 \wedge \underline{t}_2 \le \underline{p}_5$;

6) Add the constraints of the tokens created by $t_2$: $4 \le \underline{p}_4 - \underline{t}_2 \le 4 \wedge 0 \le \underline{p}_6 - \underline{t}_2 \le 2$.

Then:

$$
\varphi_{p1} = (-5 \le \underline{p}_1 - \underline{p}_2 \le 1) \wedge (\underline{t}_1 = \underline{p}_1 \wedge \underline{t}_2 = \underline{p}_2) \wedge (\underline{t}_1 \le \underline{t}_2) \wedge (\underline{t}_2 \le \underline{p}_3 \wedge \underline{t}_2 \le \underline{p}_5) \wedge (1 \le \underline{p}_3 - \underline{t}_1 \le 5 \wedge 0 \le \underline{p}_5 - \underline{t}_1 \le 2) \wedge (4 \le \underline{p}_4 - \underline{t}_2 \le 4 \wedge 0 \le \underline{p}_6 - \underline{t}_2 \le 2)
$$

In the same manner, we obtain the firing condition $\varphi_{p2}$ of the sequence $t_2 t_1$ from $\beta_0$:

$$
\varphi_{p2} = (-5 \le \underline{p}_1 - \underline{p}_2 \le 1) \wedge (\underline{t}_1 = \underline{p}_1 \wedge \underline{t}_2 = \underline{p}_2) \wedge (\underline{t}_2 \le \underline{t}_1) \wedge (\underline{t}_1 \le \underline{p}_4 \wedge \underline{t}_1 \le \underline{p}_6) \wedge (4 \le \underline{p}_4 - \underline{t}_2 \le 4 \wedge 0 \le \underline{p}_6 - \underline{t}_2 \le 2) \wedge (1 \le \underline{p}_3 - \underline{t}_1 \le 5 \wedge 0 \le \underline{p}_5 - \underline{t}_1 \le 2)
$$

Since $\varphi_{p1} \Rightarrow \underline{t}_1 \le \underline{p}_4 \wedge \underline{t}_1 \le \underline{p}_6$ and $\varphi_{p2} \Rightarrow \underline{t}_2 \le \underline{p}_3 \wedge \underline{t}_2 \le \underline{p}_5$, it follows that:

$$
\varphi_{p1} \vee \varphi_{p2} = (-5 \le \underline{p}_1 - \underline{p}_2 \le 1) \wedge (\underline{t}_1 = \underline{p}_1 \wedge \underline{t}_2 = \underline{p}_2) \wedge (\underline{t}_2 \le \underline{p}_3 \wedge \underline{t}_2 \le \underline{p}_5) \wedge (\underline{t}_1 \le \underline{p}_4 \wedge \underline{t}_1 \le \underline{p}_6) \wedge (4 \le \underline{p}_4 - \underline{t}_2 \le 4 \wedge 0 \le \underline{p}_6 - \underline{t}_2 \le 2) \wedge (1 \le \underline{p}_3 - \underline{t}_1 \le 5 \wedge 0 \le \underline{p}_5 - \underline{t}_1 \le 2)
$$

The formula $\varphi_{p1} \vee \varphi_{p2}$ is the firing condition of $t_1$ and $t_2$ from $\beta_0$, in any order. Its domain is convex (representable by a single DBM). The following theorem (Theorem 1) establishes that this result is valid for any set of transitions of $T$ not in conflict and firable from a CSCG state class. The proof of this theorem follows the same ideas as those used in the previous example to show that $\varphi_{p1} \vee \varphi_{p2}$ can be rewritten as a conjunction of atomic constraints.

Theorem 1 Let $\beta = (M, Deadp, \psi_p)$ be a CSCG state class and $T_m \subseteq T$ a set of transitions firable from $\beta$ and not in conflict in $\beta$. Then $\bigcup_{\omega \in \Omega(T_m)} succ(\beta, \omega) \neq \emptyset$, and $\bigcup_{\omega \in \Omega(T_m)} succ(\beta, \omega)$ is a state class $\beta' = (M', Deadp', \psi'_p)$ where $M' = (M - \bigcup_{f \in [1,m]} Pre(t_f)) \cup \bigcup_{f \in [1,m]} Post(t_f)$, $Deadp' = Deadp$ and $\psi'_p$ is a conjunction of triangular atomic constraints that can be computed as follows:

• Set $\psi'_p$ to

$$
\psi_p \wedge \bigwedge_{f \in [1,m]} \Big[ \bigwedge_{p_i \in Pre(t_f)} \underline{p}_i = \underline{t}_f \ \wedge \bigwedge_{p_n \in Post(t_f)} \downarrow Isp(p_n) \le \underline{p}^f_n - \underline{t}_f \le \uparrow Isp(p_n) \ \wedge \bigwedge_{p_j \in (M - Deadp) - \bigcup_{l \in [1,m]} Pre(t_l)} \underline{t}_f - \underline{p}_j \le 0 \ \wedge \bigwedge_{k \in [1,m],\ p_n \in Post(t_k)} \underline{t}_f - \underline{p}^k_n \le 0 \Big]
$$

• Put $\psi'_p$ in canonical form, then eliminate the variables $\underline{t}_1, \underline{t}_2, \ldots, \underline{t}_m$ and the variables associated with their input places.

• Rename each variable $\underline{p}^f_n$, s.t. $p_n \in Post(t_f)$ and $f \in [1,m]$, in $\underline{p}_n$.
Proof 2 If the transitions of $T_m$ are all firable from $\beta$ and not in conflict, then the firing of one of them cannot disable the others. So, all the sequences of $\Omega(T_m)$ are firable from $\beta$. Then $\bigcup_{\omega \in \Omega(T_m)} succ(\beta, \omega) \neq \emptyset$. Let us first rewrite the firing condition $\varphi_p$, given in Proposition 1, of the sequence $\omega = t_1 t_2 \cdots t_m$, so as to isolate the part that is independent of the firing order. In other words, let us show that $\varphi_p =$

$$
\psi_p \wedge \underline{t}_1 \le \underline{t}_2 \le \cdots \le \underline{t}_m \wedge \bigwedge_{f \in [1,m]} \Big[ \bigwedge_{p_i \in Pre(t_f)} \underline{p}_i = \underline{t}_f \ \wedge \bigwedge_{p_n \in Post(t_f)} \downarrow Isp(p_n) \le \underline{p}^f_n - \underline{t}_f \le \uparrow Isp(p_n) \ \wedge \bigwedge_{p_j \in (M - Deadp) - \bigcup_{l \in [1,m]} Pre(t_l)} \underline{t}_f - \underline{p}_j \le 0 \ \wedge \bigwedge_{k \in [1,m],\ p_n \in Post(t_k)} \underline{t}_f - \underline{p}^k_n \le 0 \Big]
$$

Consider the following sub-formula, denoted $\varphi_1$, of $\varphi_p$:

$$
\underline{t}_1 \le \underline{t}_2 \le \cdots \le \underline{t}_m \wedge \bigwedge_{f \in [1,m]} \Big[ \bigwedge_{p_i \in Pre(t_f)} \underline{p}_i = \underline{t}_f \ \wedge \bigwedge_{p_n \in Post(t_f)} \downarrow Isp(p_n) \le \underline{p}^f_n - \underline{t}_f \le \uparrow Isp(p_n) \Big]
$$

This formula implies that:

(1) $\forall f \in [1,m], \forall l \in [f,m],\ \underline{t}_f \le \underline{t}_l$.

(2) $\forall f \in [1,m], \forall l \in [f,m], \forall p_j \in Pre(t_l),\ \underline{t}_f \le \underline{t}_l = \underline{p}_j$. Then: (2') $\varphi_1 \Rightarrow \bigwedge_{f \in [1,m],\ p_j \in \bigcup_{l \in [f,m]} Pre(t_l)} \underline{t}_f - \underline{p}_j \le 0$.

(3) $\forall f \in [1,m], \forall l \in [f,m], \forall p_n \in Post(t_l),\ \underline{t}_f \le \underline{t}_l \le \underline{p}^l_n$. Then: (3') $\varphi_1 \Rightarrow \bigwedge_{f \in [1,m],\ l \in [f,m],\ p_n \in Post(t_l)} \underline{t}_f - \underline{p}^l_n \le 0$.

Consider now the following sub-formula, denoted $\varphi_2$, of $\varphi_p$:

$$
\bigwedge_{f \in [1,m],\ p_j \in (M - Deadp) - \bigcup_{l \in [1,f[} Pre(t_l)} \underline{t}_f - \underline{p}_j \le 0
$$

From (2'), it follows that the constraints (2) are redundant in the part $\varphi_2$ of $\varphi_p$ and hence can be eliminated from $\varphi_2$ without altering the domain of $\varphi_p$, which leaves:

$$
\bigwedge_{f \in [1,m],\ p_j \in (M - Deadp) - \bigcup_{l \in [1,m]} Pre(t_l)} \underline{t}_f - \underline{p}_j \le 0
$$

Let $\varphi_3$ be the following part of $\varphi_p$:

$$
\bigwedge_{f \in [1,m],\ l \in [1,f[,\ p_n \in Post(t_l)} \underline{t}_f - \underline{p}^l_n \le 0
$$

From (3'), it follows that the constraints (3) are redundant in the part $\varphi_1$ of $\varphi_p$ and hence can be added to the part $\varphi_3$ of $\varphi_p$ without altering the domain of $\varphi_p$, which gives:

$$
\bigwedge_{f \in [1,m],\ l \in [1,m],\ p_n \in Post(t_l)} \underline{t}_f - \underline{p}^l_n \le 0
$$

Therefore, $\varphi_p =$

$$
\psi_p \wedge \underline{t}_1 \le \underline{t}_2 \le \cdots \le \underline{t}_m \wedge \bigwedge_{f \in [1,m]} \Big[ \bigwedge_{p_i \in Pre(t_f)} \underline{p}_i = \underline{t}_f \ \wedge \bigwedge_{p_n \in Post(t_f)} \downarrow Isp(p_n) \le \underline{p}^f_n - \underline{t}_f \le \uparrow Isp(p_n) \ \wedge \bigwedge_{p_j \in (M - Deadp) - \bigcup_{l \in [1,m]} Pre(t_l)} \underline{t}_f - \underline{p}_j \le 0 \ \wedge \bigwedge_{k \in [1,m],\ p_n \in Post(t_k)} \underline{t}_f - \underline{p}^k_n \le 0 \Big]
$$

We have rewritten the firing condition of the sequence $t_1 t_2 \ldots t_m$ so as to isolate the part $\underline{t}_1 \le \underline{t}_2 \le \cdots \le \underline{t}_m$, which fixes the firing order, from the other part, which is independent of the firing order. It follows that the firing condition of the transitions of $T_m$ in any order, denoted $\psi'_p$, is:

$$
\psi_p \wedge \bigwedge_{f \in [1,m]} \Big[ \bigwedge_{p_i \in Pre(t_f)} \underline{p}_i = \underline{t}_f \ \wedge \bigwedge_{p_n \in Post(t_f)} \downarrow Isp(p_n) \le \underline{p}^f_n - \underline{t}_f \le \uparrow Isp(p_n) \ \wedge \bigwedge_{p_j \in (M - Deadp) - \bigcup_{l \in [1,m]} Pre(t_l)} \underline{t}_f - \underline{p}_j \le 0 \ \wedge \bigwedge_{k \in [1,m],\ p_n \in Post(t_k)} \underline{t}_f - \underline{p}^k_n \le 0 \Big]
$$

To obtain the formula of $\beta'$, it suffices to put $\psi'_p$ in canonical form and then to eliminate the variables associated with the transitions of $T_m$ and with their input places.
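As an added example (not code from the paper), the following Python reproduces, with a small DBM implementation, the interleaving example of Section 2.3 and the direct computation of Theorem 1 for the net of Figure 2.a): canonical form by Floyd-Warshall, the SCG firing rule of Section 2.2 (the firing instant of $t_f$ becomes the new origin of the delays, which is steps 6 and 7 in DBM terms), the CSCG rule (canonicalisation followed by elimination of $\underline{t}_f$ and its input places), and the union of all interleavings from the formula of Theorem 1. The net data `ISP`, `PRE`, `POST` are reconstructed from the paper's figure and formulas; the class and function names are this example's own.

```python
import copy
INF = float("inf")

class DBM:
    """Difference bound matrix over named delay variables; "0" is the constant zero.
    Entry d[i][j] encodes the atomic constraint  names[i] - names[j] <= d[i][j]."""
    def __init__(self, names):
        self.names = ["0"] + list(names)
        self.d = [[0 if i == j else INF for j in self.names] for i in self.names]
    def idx(self, v):
        return self.names.index(v)
    def new_var(self, v):
        for row in self.d: row.append(INF)
        self.names.append(v)
        self.d.append([INF] * (len(self.names) - 1) + [0])
    def add(self, x, y, c):
        """Add x - y <= c ("0" as x or y gives a simple constraint)."""
        i, j = self.idx(x), self.idx(y)
        self.d[i][j] = min(self.d[i][j], c)
    def canonical(self):
        """Floyd-Warshall tightening (canonical form); False iff the domain is empty."""
        n = len(self.names)
        for k in range(n):
            for i in range(n):
                for j in range(n):
                    self.d[i][j] = min(self.d[i][j], self.d[i][k] + self.d[k][j])
        return all(self.d[i][i] >= 0 for i in range(n))
    def eliminate(self, *vs):
        """Project variables out (exact projection once the DBM is canonical)."""
        keep = [i for i, v in enumerate(self.names) if v not in vs]
        self.names = [self.names[i] for i in keep]
        self.d = [[self.d[i][j] for j in keep] for i in keep]
    def bound(self, x, y):
        return self.d[self.idx(x)][self.idx(y)]
    def contains(self, point):
        val = {"0": 0, **point}
        return all(val[x] - val[y] <= self.bound(x, y) for x in self.names for y in self.names)
    def triangular(self):
        """Triangular constraints only, i.e. the CSCG view of the class."""
        return {(x, y): self.bound(x, y) for x in self.names
                for y in self.names if x != y and "0" not in (x, y)}

# Net of Figure 2.a), reconstructed from the paper: t1 consumes p1 and creates p3,
# t2 consumes p2 and creates p4; ISP holds the static residence intervals.
ISP = {"p1": (1, 3), "p2": (2, 4), "p3": (1, 1), "p4": (2, 2)}
PRE = {"t1": ["p1"], "t2": ["p2"]}
POST = {"t1": ["p3"], "t2": ["p4"]}

def initial_class(marking, contracted):
    """alpha0 (SCG), or beta0 (CSCG) when the simple constraints are dropped."""
    d = DBM(marking)
    for p in marking:
        d.add(p, "0", ISP[p][1]); d.add("0", p, -ISP[p][0])
    d.canonical()
    if contracted:
        for p in marking:
            d.d[d.idx(p)][0] = d.d[0][d.idx(p)] = INF
    return d

def succ(cls, ts, contracted):
    """Successor of cls by the non-conflicting transitions ts fired in any order (Theorem 1;
    with one transition, the firing rule of Section 2.2). SCG mode takes one transition:
    its firing instant becomes the new origin of the delays. None if ts is not firable."""
    consumed = [p for t in ts for p in PRE[t]]
    if not all(p in cls.names for p in consumed): return None
    d = copy.deepcopy(cls)
    created = [p for t in ts for p in POST[t]]
    others = [v for v in d.names if v != "0" and v not in consumed]
    for v in ts + created:
        d.new_var(v)
    for t in ts:
        for p in PRE[t]:                 # t_f equals the delay of each of its input tokens
            d.add(p, t, 0); d.add(t, p, 0)
        for p in POST[t]:                # static residence interval of each created token
            d.add(p, t, ISP[p][1]); d.add(t, p, -ISP[p][0])
        for p in others + created:       # t_f does not exceed any other present/created delay
            d.add(t, p, 0)
    if not d.canonical(): return None    # firing condition inconsistent
    if contracted:
        consumed += ts
    else:                                # old p_i = new p_i + t_f: t_f becomes the new zero
        d.names[d.idx("0")] = "old0"
        d.names[d.idx(ts[0])] = "0"
        consumed.append("old0")
    d.eliminate(*consumed)
    return d

def hull(a, b):
    """Smallest DBM enclosing a and b (entrywise maximum) over the same variables."""
    h = DBM([v for v in a.names if v != "0"])
    for x in h.names:
        for y in h.names:
            h.d[h.idx(x)][h.idx(y)] = max(a.bound(x, y), b.bound(x, y))
    return h

def interleavings():
    """alpha1, alpha2 (SCG) and beta1, beta2 (CSCG) reached by t1t2 and t2t1, plus the
    CSCG class given directly by the formula of Theorem 1 for {t1, t2}."""
    a0, b0 = initial_class(["p1", "p2"], False), initial_class(["p1", "p2"], True)
    a1 = succ(succ(a0, ["t1"], False), ["t2"], False)
    a2 = succ(succ(a0, ["t2"], False), ["t1"], False)
    b1 = succ(succ(b0, ["t1"], True), ["t2"], True)
    b2 = succ(succ(b0, ["t2"], True), ["t1"], True)
    return a1, a2, b1, b2, succ(b0, ["t1", "t2"], True)
```

With `a1, a2, b1, b2, direct = interleavings()`, the point `{"p3": 0.5, "p4": 1.5}` lies in `hull(a1, a2)` but in neither `a1` nor `a2`, which exhibits the non-convex SCG union, while `direct.triangular()` equals `hull(b1, b2).triangular()` ($-2 \le \underline{p}_3 - \underline{p}_4 \le 0$).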

Theorem 1 is also valid for unsafe P-TPNs in the context of multiple-server semantics. The proof of this claim is similar, except that markings, presets and postsets of transitions are multisets over places. In this case, a variable is associated with each token (instead of each place). Transitions can be multi-enabled. Each enabling instance of a transition is defined as a pair composed of the name of the transition and the multiset of tokens participating in its enabling. Its firing delay depends on the time constraints of its tokens. A variable is associated with each enabling instance of the same transition. In the next section, we extend the result established in Theorem 1 to the A-TPN model.

3 A-Time Petri Nets 

The A-TPN model is the most powerful model in the class of {P,T,A}-TPN [1]. As in P-TPN, A-TPN uses the notion of availability intervals of tokens, but each token of a place $p$ has an availability interval per output arc of $p$, whereas in P-TPN each token has only one availability interval. As for P-TPN, we consider, in the following, safe A-TPN.

Formally, an A-TPN is a tuple $(P, T, Pre, Post, M_0, Isa)$ where:

1. $P, T, Pre, Post$ and $M_0$ are defined as for P-TPN,

2. Let $IE = \{(p_i, t_j) \in P \times T \mid p_i \in Pre(t_j)\}$ be the set of input arcs of all transitions. $Isa : IE \to \mathbb{Q}^+ \times (\mathbb{Q}^+ \cup \{\infty\})$ is the static availability interval function. $Isa(p_i, t_j)$ specifies the lower $\downarrow Isa(p_i, t_j)$ and the upper $\uparrow Isa(p_i, t_j)$ bounds of the static availability interval of the tokens of $p_i$ for $t_j$.

Since, in A-TPN, intervals are associated with the arcs connecting places to transitions, the notion of dead tokens of the P-TPN model is replaced by dead arcs. If a place $p_i$ is marked and connected to a transition $t_j$, the arc $(p_i, t_j)$ will die if the residence time of the token of $p_i$ overpasses the availability interval of the arc $(p_i, t_j)$. To detect dead arcs, we use the special transition $Err$, as for the P-TPN model.

Let $EE(M) = \{(p_i, t_j) \in M \times T \mid p_i \in Pre(t_j)\}$ be the set of enabled arcs in $M$. The A-TPN state is 
defined as a triplet $(M, Deada, Ia)$, where $M \subseteq P$ is a marking, $Deada \subseteq EE(M)$ is the set of dead arcs 
in $EE(M)$ and $Ia$ is the interval function ($Ia : EE(M) - Deada \to \mathbb{Q}^+ \times (\mathbb{Q}^+ \cup \{\infty\})$) which associates 
with each enabled and non-dead arc an availability interval. The initial state of the A-TPN model is 
$s_0 = (M_0, Deada_0, Ia_0)$ where $Deada_0 = \emptyset$ and $Ia_0(p_i, t_j) = Isa(p_i, t_j)$ for all $(p_i, t_j) \in EE(M_0)$. When a 
token is created in place $p_i$, the availability interval of each output arc $(p_i, t_j)$ is set to its static interval 
$Isa(p_i, t_j)$ and then decreases, synchronously with time, until the token within $p_i$ is consumed or the 
arc dies. A transition $t_f$ can fire iff all its input arcs are not dead and have reached their availability 
intervals, i.e., the lower bounds of the intervals of its input arcs have reached 0. But it must fire, without 
any additional delay, if the upper bound of at least one of its input arcs has reached 0. The firing of a 
transition takes no time. 

The A-TPN state space is the timed transition system $(S, \to, s_0)$, where $s_0$ is the initial state of the A-TPN 
and $S = \{s \mid s_0 \to^* s\}$ is the set of reachable states of the model, $\to^*$ being the reflexive and transitive 
closure of the relation $\to$ defined as follows. 

Let $s = (M, Deada, Ia)$ and $s' = (M', Deada', Ia')$ be two A-TPN states, $d \in \mathbb{R}^+$ and $t_f \in T$. 

- $s \xrightarrow{d} s'$ iff $\forall (p_i, t_j) \in EE(M) - Deada$, $d \le \uparrow Ia(p_i, t_j)$, $M' = M$, $Deada' = Deada$ and $\forall (p_k, t_l) \in 
EE(M') - Deada'$, $Ia'(p_k, t_l) = [Max(\downarrow Ia(p_k, t_l) - d, 0), \uparrow Ia(p_k, t_l) - d]$. Time may progress as long as 
it does not exceed the intervals of all non-dead arcs of $EE(M')$. 

- $s \xrightarrow{t_f} s'$ iff state $s'$ is immediately reachable from state $s$ by firing transition $t_f$, i.e., $Pre(t_f) \times \{t_f\} \subseteq 
EE(M) - Deada$, $\forall p_i \in Pre(t_f)$, $\downarrow Ia(p_i, t_f) = 0$, $M' = (M - Pre(t_f)) \cup Post(t_f)$, $Deada' = Deada - 
(Pre(t_f) \times T)$, and $\forall (p_k, t_l) \in EE(M') - Deada'$, $Ia'(p_k, t_l) = Isa(p_k, t_l)$ if $p_k \in Post(t_f)$ and $Ia'(p_k, t_l) = 
Ia(p_k, t_l)$ otherwise. This means that all input arcs of $t_f$ are enabled, not dead and have reached their 
availability intervals. The firing of $t_f$ consumes the tokens of its input places and produces tokens in its 
output places (one token per output place). The consumed tokens and their output arcs are removed. The 
produced tokens are added to the marking, and the availability intervals of their output arcs are set to their 
static availability intervals. 

- $s \xrightarrow{Err} s'$ iff state $s'$ is immediately reachable from state $s$ by firing transition $Err$. Transition $Err$ 
is immediately firable from $s$ if no transition of $T$ is firable from $s$ and there is at least one arc in 
$EE(M) - Deada$ whose upper bound has reached 0, i.e., $(\forall t_k \in T$ s.t. $Pre(t_k) \times \{t_k\} \subseteq 
EE(M) - Deada$, $\exists p_j \in Pre(t_k)$, $\downarrow Ia(p_j, t_k) > 0)$, $(\exists (p_i, t_l) \in EE(M) - Deada$, $\uparrow Ia(p_i, t_l) = 0)$, $M' = M$, 
$Deada' = Deada \cup \{(p_j, t_l) \in EE(M) - Deada \mid \uparrow Ia(p_j, t_l) = 0\}$, and $\forall (p_i, t_j) \in EE(M') - Deada'$, 
$Ia'(p_i, t_j) = Ia(p_i, t_j)$. 
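The operational semantics above, as an added example that is not part of the original paper: a small Python interpreter for safe A-TPN states $(M, Deada, Ia)$ implementing the three relations (time elapse $s \xrightarrow{d} s'$, transition firing $s \xrightarrow{t_f} s'$ and $Err$). The net it runs on is constructed here for illustration and is not taken from the paper: $t_3$ needs the arc $(p_3, t_3)$ with $Isa = [1,3]$ and the arc $(p_4, t_3)$ with $Isa = [2,2]$ to be open at the same instant, so whether $t_3$ ever fires depends on how far apart $t_1$ and $t_2$ fire; one schedule fires $t_3$, the other lets the arc $(p_3, t_3)$ die through $Err$.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, FrozenSet, Tuple

Arc = Tuple[str, str]  # input arc (p_i, t_j); an upper bound of float("inf") is allowed

@dataclass(frozen=True)
class ATPN:
    """Safe A-TPN: Pre/Post map each transition to a set of places; Isa maps input arcs to (↓Isa, ↑Isa)."""
    pre: Dict[str, FrozenSet[str]]
    post: Dict[str, FrozenSet[str]]
    isa: Dict[Arc, Tuple]
    def enabled_arcs(self, marking):  # EE(M)
        return {(p, t) for t, ps in self.pre.items() for p in ps if p in marking}

@dataclass
class State:
    """(M, Deada, Ia); ia holds the current interval of every enabled, non-dead arc (and nothing else)."""
    marking: FrozenSet[str]
    dead: FrozenSet[Arc]
    ia: Dict[Arc, Tuple]

def initial_state(net, m0):
    m0 = frozenset(m0)
    return State(m0, frozenset(), {a: net.isa[a] for a in net.enabled_arcs(m0)})

def elapse(net, s, d):
    """s -d-> s': refused (None) if d exceeds the upper bound of some live arc (strong time semantics)."""
    if any(d > hi for (_, hi) in s.ia.values()):
        return None
    return State(s.marking, s.dead, {a: (max(lo - d, 0), hi - d) for a, (lo, hi) in s.ia.items()})

def firable(net, s, t):
    """t_f is firable iff every input arc is enabled, not dead and has reached its interval (lower bound 0)."""
    return all((p, t) in s.ia and s.ia[(p, t)][0] == 0 for p in net.pre[t])

def fire(net, s, t):
    """s -t_f-> s': consume Pre(t_f), produce Post(t_f); fresh tokens get Isa, surviving arcs keep Ia."""
    if not firable(net, s, t):
        return None
    marking = (s.marking - net.pre[t]) | net.post[t]
    dead = frozenset(a for a in s.dead if a[0] not in net.pre[t])        # Deada - (Pre(t_f) x T)
    ia = {a: (net.isa[a] if a[0] in net.post[t] else s.ia[a])
          for a in net.enabled_arcs(marking) if a not in dead}
    return State(marking, dead, ia)

def err(net, s):
    """s -Err-> s': only when no transition of T is firable; every live arc whose upper bound is 0 dies."""
    if any(firable(net, s, t) for t in net.pre):
        return None
    expired = {a for a, (_, hi) in s.ia.items() if hi == 0}
    if not expired:
        return None
    return State(s.marking, s.dead | expired, {a: iv for a, iv in s.ia.items() if a not in expired})

def run(net, s, script):
    """Apply ("elapse", d), ("fire", t) and ("err",) steps in order; None as soon as a step is refused."""
    for step in script:
        if s is None:
            return None
        if step[0] == "elapse":
            s = elapse(net, s, step[1])
        elif step[0] == "fire":
            s = fire(net, s, step[1])
        else:
            s = err(net, s)
    return s

def example_net():
    """Constructed net (not from the paper): p1 -t1-> p3, p2 -t2-> p4, {p3, p4} -t3-> nothing."""
    F = Fraction
    net = ATPN(pre={"t1": frozenset({"p1"}), "t2": frozenset({"p2"}), "t3": frozenset({"p3", "p4"})},
               post={"t1": frozenset({"p3"}), "t2": frozenset({"p4"}), "t3": frozenset()},
               isa={("p1", "t1"): (F(1), F(3)), ("p2", "t2"): (F(2), F(4)),
                    ("p3", "t3"): (F(1), F(3)), ("p4", "t3"): (F(2), F(2))})
    return net, initial_state(net, {"p1", "p2"})
```

Firing $t_1$ at time 1 and $t_2$ at time 2 leaves both input arcs of $t_3$ open at time 4, where `elapse` refuses any further delay and $t_3$ is forced to fire; firing $t_2$ at time 4 instead leaves $(p_3, t_3)$ at $[0,0]$ while $(p_4, t_3)$ is still at $[2,2]$, so `err` is the only enabled step and the arc dies. `err` is deliberately gated on "no transition of $T$ firable", which is what makes a dead arc, rather than a missed deadline, the observable outcome under the strong semantics.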

3.1 The CSCG of the A-TPN 

The definition of the CSCG of the P-TPN is extended to the A-TPN by replacing the notion of dead 
tokens by dead arcs and the constraints on the availability of tokens by those on arcs. The CSCG state class of 
an A-TPN is defined as a triplet $\gamma = (M, Deada, \psi_a)$ where $M \subseteq P$ is a marking, $Deada \subseteq EE(M)$ is the set 
of dead arcs in $EE(M)$ and $\psi_a$ is a conjunction of triangular atomic constraints over variables associated 
with the non-dead arcs of $EE(M)$. Each arc $(p_i, t_j)$ of $EE(M) - Deada$ has a variable, denoted $\underline{p}_{ij}$ in $\psi_a$, 
representing its availability interval. 

The initial CSCG state class is $\gamma_0 = (M_0, Deada_0, \psi_{a0})$ where $M_0 \subseteq P$ is the initial marking, $Deada_0 = 
\emptyset$ and 
$$\psi_{a0} = \bigwedge_{(p_i, t_j) \in EE(M_0),\,(p_k, t_l) \in EE(M_0)} \underline{p}_{ij} - \underline{p}_{kl} \le \uparrow Isa(p_i, t_j) - \downarrow Isa(p_k, t_l).$$ 

Successor state classes are computed using the following firing rule. Let $\gamma = (M, Deada, \psi_a)$ be a 
state class and $t_f$ a transition of $T$. The state class $\gamma$ has a successor by $t_f$ (i.e., $succ(\gamma, t_f) \neq \emptyset$) iff 
$Pre(t_f) \times \{t_f\} \subseteq EE(M) - Deada$ and the following formula is consistent: 
$$\psi_a \wedge \Big( \bigwedge_{p_i \in Pre(t_f),\,(p_j, t_k) \in EE(M) - Deada} \underline{p}_{if} \le \underline{p}_{jk} \Big)$$ 

This firing condition means that $t_f$ is enabled in $M$, its input arcs are not dead, and there is a state such that the 
input arcs of $t_f$ reach their intervals before the intervals of all non-dead arcs in $EE(M)$ are exceeded. 
If $succ(\gamma, t_f) \neq \emptyset$ then $succ(\gamma, t_f) = (M', Deada', \psi'_a)$ is computed as follows: 

1. $M' = (M - Pre(t_f)) \cup Post(t_f)$; 

2. $Deada' = Deada - (Pre(t_f) \times T)$; 

3. Set $\psi'_a$ to $\psi_a \wedge \Big( \bigwedge_{p_i \in Pre(t_f),\,(p_j, t_k) \in EE(M) - Deada} \underline{p}_{if} \le \underline{p}_{jk} \Big)$; 

4. Replace the variables $\underline{p}_{if}$ associated with the input arcs of $t_f$ by $\underline{t}_f$; 

5. Add the constraints $\bigwedge_{p_n \in Post(t_f),\,t_l \in p_n^{\circ}} \downarrow Isa(p_n, t_l) \le \underline{p}_{nl} - \underline{t}_f \le \uparrow Isa(p_n, t_l)$; 

6. Put $\psi'_a$ in canonical form and then eliminate $\underline{t}_f$. 

If $t_f$ is firable then its firing consumes its input tokens and creates tokens in its output places (one token 
per output place). The consumed tokens and their output arcs are eliminated. Step 3 isolates the states 
of $\gamma$ from which $t_f$ is firable (i.e., the states where the input arcs of $t_f$ reach their availability intervals before 
the availability intervals of all non-dead enabled arcs are exceeded). This step implies that for all $p_i, p_j \in 
Pre(t_f)$, $\underline{p}_{if} = \underline{p}_{jf}$. Step 4 replaces all these equal variables by $\underline{t}_f$. Step 5 adds the time constraints 
of the created tokens. Step 6 puts $\psi'_a$ in canonical form before eliminating the variable $\underline{t}_f$. 

3.2 Interleaving in the CSCG of A-TPN 

The following theorem extends, to A-TPN, the result established in Theorem 1. 

Theorem 2 Let $\gamma = (M, Deada, \psi_a)$ be a CSCG state class and $T_m \subseteq T$ a set of transitions firable from 
$\gamma$ and not in conflict in $\gamma$. 

Then $\bigcup_{\omega \in \Omega(T_m)} succ(\gamma, \omega) \neq \emptyset$ and $\bigcup_{\omega \in \Omega(T_m)} succ(\gamma, \omega)$ is a state class $\gamma' = (M', Deada', \psi'_a)$ where $M' = 
(M - \bigcup_{t_f \in T_m} Pre(t_f)) \cup \bigcup_{t_f \in T_m} Post(t_f)$, $Deada' = Deada - (\bigcup_{t_f \in T_m} Pre(t_f) \times T)$ and $\psi'_a$ is a conjunction of 
triangular atomic constraints that can be computed as follows: 

• Set $\psi'_a$ to 
$$\psi_a \wedge \bigwedge_{f \in [1,m]} \Big[ \bigwedge_{p_i \in Pre(t_f)} \underline{p}_{if} = \underline{t}_f \;\wedge \bigwedge_{p_n \in Post(t_f),\,t_l \in p_n^{\circ}} \downarrow Isa(p_n, t_l) \le \underline{p}^f_{nl} - \underline{t}_f \le \uparrow Isa(p_n, t_l) \;\wedge \bigwedge_{(p_j, t_k) \in (EE(M) - Deada) - \bigcup_{l \in [1,m]} Pre(t_l) \times T} \underline{t}_f - \underline{p}_{jk} \le 0 \;\wedge \bigwedge_{k \in [1,m],\,p_n \in Post(t_k),\,t_l \in p_n^{\circ}} \underline{t}_f - \underline{p}^k_{nl} \le 0 \Big]$$ 

• Put $\psi'_a$ in canonical form, then eliminate the variables $\underline{t}_1, \underline{t}_2, \ldots, \underline{t}_m$ and the variables associated with their 
input places. 

• Rename each variable $\underline{p}^f_{nl}$, $p_n \in Post(t_f)$, $t_l \in p_n^{\circ}$ and $f \in [1,m]$, into $\underline{p}_{nl}$. 

Proof 3 We first extend the firing condition of a sequence $\omega = t_1 t_2 \ldots t_m$ of $\Omega(T_m)$ given in Proposition 
1 to the case of A-TPN. $\omega$ is firable from $\gamma$ (i.e., $succ(\gamma, \omega) \neq \emptyset$) iff the following formula, denoted $\varphi_a$, is 
consistent: 
$$\psi_a \wedge \underline{t}_1 \le \underline{t}_2 \le \ldots \le \underline{t}_m \wedge \bigwedge_{f \in [1,m]} \Big[ \bigwedge_{p_i \in Pre(t_f)} \underline{p}_{if} = \underline{t}_f \;\wedge \bigwedge_{(p_j, t_k) \in (EE(M) - Deada) - \bigcup_{l \in [1,f[} (Pre(t_l) \times T)} \underline{t}_f - \underline{p}_{jk} \le 0 \;\wedge \bigwedge_{k \in [1,f[,\,p_n \in Post(t_k),\,t_l \in p_n^{\circ}} \underline{t}_f - \underline{p}^k_{nl} \le 0 \;\wedge \bigwedge_{p_n \in Post(t_f),\,t_l \in p_n^{\circ}} \downarrow Isa(p_n, t_l) \le \underline{p}^f_{nl} - \underline{t}_f \le \uparrow Isa(p_n, t_l) \Big]$$ 

The firing condition of the sequence $t_1 t_2 \ldots t_m$ from $\gamma$ adds to $\psi_a$, for each transition $t_f$ of the sequence, a 
variable, denoted $\underline{t}_f$, representing its firing delay and five blocks of constraints. The first block fixes the 
firing order of the transitions of $T_m$. The second block means that the residence delays of the arcs used by each 
transition $t_f$ must be equal to $\underline{t}_f$. The third and fourth blocks mean that the firing delay $\underline{t}_f$ is less than or 
equal to the residence delays of all enabled and non-dead arcs present when $t_f$ is fired (i.e., $(p_j, t_k) \in 
(EE(M) - Deada) - (\bigcup_{l \in [1,f[} Pre(t_l) \times T)$ and $(p_n, t_l)$ s.t. $p_n \in \bigcup_{k \in [1,f[} Post(t_k)$ and $t_l \in p_n^{\circ}$). The fifth block of 
constraints specifies the residence delays of the arcs enabled by $t_f$ (i.e., $(p_n, t_l)$ s.t. $p_n \in Post(t_f)$ and $t_l \in p_n^{\circ}$). 
The rest of the proof follows the same steps as the proof of Theorem 1. In other words, let us show that 
$$\varphi_a \equiv \psi_a \wedge \underline{t}_1 \le \underline{t}_2 \le \ldots \le \underline{t}_m \wedge \bigwedge_{f \in [1,m]} \Big[ \bigwedge_{p_i \in Pre(t_f)} \underline{p}_{if} = \underline{t}_f \;\wedge \bigwedge_{p_n \in Post(t_f),\,t_l \in p_n^{\circ}} \downarrow Isa(p_n, t_l) \le \underline{p}^f_{nl} - \underline{t}_f \le \uparrow Isa(p_n, t_l) \;\wedge \bigwedge_{(p_j, t_k) \in (EE(M) - Deada) - \bigcup_{l \in [1,m]} Pre(t_l) \times T} \underline{t}_f - \underline{p}_{jk} \le 0 \;\wedge \bigwedge_{k \in [1,m],\,p_n \in Post(t_k),\,t_l \in p_n^{\circ}} \underline{t}_f - \underline{p}^k_{nl} \le 0 \Big]$$ 

Consider the following sub-formula, denoted $\varphi_1$, of $\varphi_a$: 
$$\underline{t}_1 \le \underline{t}_2 \le \ldots \le \underline{t}_m \wedge \bigwedge_{f \in [1,m]} \Big[ \bigwedge_{p_i \in Pre(t_f)} \underline{p}_{if} = \underline{t}_f \;\wedge \bigwedge_{p_n \in Post(t_f),\,t_l \in p_n^{\circ}} \downarrow Isa(p_n, t_l) \le \underline{p}^f_{nl} - \underline{t}_f \le \uparrow Isa(p_n, t_l) \Big]$$ 

This formula implies that: 

(1) $\forall f \in [1,m], \forall k \in [f,m]$, $\underline{t}_f \le \underline{t}_k$. 

(2) $\forall f \in [1,m], \forall k \in [f,m], \forall p_j \in Pre(t_k)$, $\underline{t}_f \le \underline{t}_k = \underline{p}_{jk}$. 

Then: (2') $\varphi_1 \Rightarrow \bigwedge_{f \in [1,m],\,k \in [f,m],\,p_j \in Pre(t_k)} \underline{t}_f - \underline{p}_{jk} \le 0$. 

(3) $\forall f \in [1,m], \forall k \in [f,m], \forall p_n \in Post(t_k), \forall t_l \in p_n^{\circ}$, $\underline{t}_f \le \underline{t}_k \le \underline{p}^k_{nl}$. 

Then: (3') $\varphi_1 \Rightarrow \bigwedge_{f \in [1,m],\,k \in [f,m],\,p_n \in Post(t_k),\,t_l \in p_n^{\circ}} \underline{t}_f - \underline{p}^k_{nl} \le 0$. 

Consider the following sub-formula, denoted $\varphi_2$, of $\varphi_a$: 
$$\bigwedge_{f \in [1,m],\,(p_j, t_k) \in (EE(M) - Deada) - \bigcup_{l \in [1,f[} Pre(t_l) \times T} \underline{t}_f - \underline{p}_{jk} \le 0$$ 

From (2'), it follows that the constraints (2) are redundant in the part $\varphi_2$ of $\varphi_a$ and can therefore be eliminated 
from $\varphi_2$ without altering the domain of $\varphi_a$, which gives: 
$$\bigwedge_{f \in [1,m],\,(p_j, t_k) \in (EE(M) - Deada) - \bigcup_{l \in [1,m]} Pre(t_l) \times T} \underline{t}_f - \underline{p}_{jk} \le 0$$ 

Let $\varphi_3$ be the following part of $\varphi_a$: 
$$\bigwedge_{f \in [1,m],\,k \in [1,f[,\,p_n \in Post(t_k),\,t_l \in p_n^{\circ}} \underline{t}_f - \underline{p}^k_{nl} \le 0$$ 

From (3'), it follows that the constraints (3) are implied by the part $\varphi_1$ of $\varphi_a$ and can therefore be added to the 
part $\varphi_3$ of $\varphi_a$ without altering the domain of $\varphi_a$, which gives: 
$$\bigwedge_{f \in [1,m],\,k \in [1,m],\,p_n \in Post(t_k),\,t_l \in p_n^{\circ}} \underline{t}_f - \underline{p}^k_{nl} \le 0$$ 

Therefore, 
$$\varphi_a \equiv \psi_a \wedge \underline{t}_1 \le \underline{t}_2 \le \ldots \le \underline{t}_m \wedge \bigwedge_{f \in [1,m]} \Big[ \bigwedge_{p_i \in Pre(t_f)} \underline{p}_{if} = \underline{t}_f \;\wedge \bigwedge_{p_n \in Post(t_f),\,t_l \in p_n^{\circ}} \downarrow Isa(p_n, t_l) \le \underline{p}^f_{nl} - \underline{t}_f \le \uparrow Isa(p_n, t_l) \;\wedge \bigwedge_{(p_j, t_k) \in (EE(M) - Deada) - \bigcup_{l \in [1,m]} Pre(t_l) \times T} \underline{t}_f - \underline{p}_{jk} \le 0 \;\wedge \bigwedge_{k \in [1,m],\,p_n \in Post(t_k),\,t_l \in p_n^{\circ}} \underline{t}_f - \underline{p}^k_{nl} \le 0 \Big]$$ 

The firing condition of the transitions of $T_m$ in any order, denoted $\psi'_a$, is obtained by eliminating the part 
fixing the firing order. To obtain the formula of $\gamma'$, it suffices to put $\psi'_a$ in canonical form and then 
eliminate the variables associated with the transitions of $T_m$ and their input places. 

The extension of this result to unsafe A-TPN is straightforward, by considering multisets of tokens and 
multisets of enabled arcs, and by associating a variable with each instance of a multiply enabled arc. Each 
enabled transition is then identified by the name of the transition and a set of enabled arcs. 

Using the translation into A-TPN of the P-TPN shown in Figure 2.a), we show that the union of 
the SCG state classes of an A-TPN reached by different interleavings of the same set of transitions is 
not necessarily convex⁷. Indeed, from its initial SCG state class $(p_1 + p_2, \emptyset, 1 \le \underline{p}_{11} \le 3 \wedge 2 \le \underline{p}_{22} \le 4)$, the 
sequences $t_1 t_2$ and $t_2 t_1$ lead respectively to the SCG state classes $(p_3 + p_4, \emptyset, 0 \le \underline{p}_{33} \le 1 \wedge \underline{p}_{44} = 
2 \wedge -2 \le \underline{p}_{33} - \underline{p}_{44} \le -1)$ and $(p_3 + p_4, \emptyset, \underline{p}_{33} = 1 \wedge 1 \le \underline{p}_{44} \le 2 \wedge -1 \le \underline{p}_{33} - \underline{p}_{44} \le 0)$. The union 
of their domains is not convex: the point $(\underline{p}_{33}, \underline{p}_{44}) = (1/2, 3/2)$ is the midpoint of $(0, 2)$, which belongs to the 
first class, and $(1, 1)$, which belongs to the second, yet it belongs to neither class. 
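The firing rule of Section 3.1, Theorem 2 and the non-convexity example above, as an added example that is not part of the original paper: a Python implementation of state classes as difference-bound matrices (DBMs), with canonical form by Floyd-Warshall closure and existential elimination of a variable by dropping its row and column. `fire_class` is steps 1-6 of the firing rule and `fire_set` is the direct computation of the agglomerated class of Theorem 2. Passing `scg=True` keeps an extra time-origin variable `z`, so that absolute bounds survive and the firing instant of each fired transition becomes the new origin; this reproduces the SCG classes quoted for Figure 2.a). The net is Figure 2.a) translated by footnote 7, with the structure $p_1 \to t_1 \to p_3$, $p_2 \to t_2 \to p_4$ and output transitions $t_3$, $t_4$ inferred from the quoted classes; $Isp(p_1) = [1,3]$ and $Isp(p_2) = [2,4]$ are read off the initial class, while $Isp(p_3) = [1,1]$ and $Isp(p_4) = [2,2]$ are assumptions chosen so that the quoted classes are reproduced. Arc variables are written `p3.t3` for $\underline{p}_{33}$, and `fire_set` assumes that the output places of the transitions in the set are pairwise distinct, so the superscripted copies $\underline{p}^f_{nl}$ of the theorem are not needed.

```python
from collections import namedtuple
from itertools import product
INF, ORIGIN = float("inf"), "z"  # ORIGIN: time-origin variable, present only in SCG mode
var = lambda p, t: f"{p}.{t}"  # variable of arc (p_i, t_j), written p_ij in the paper
StateClass = namedtuple("StateClass", "marking dead zone")  # (M, Deada, ψ_a)

class Zone:  # conjunction of triangular constraints x - y <= c over named variables (a DBM)
    def __init__(self, variables):
        self.vars = list(variables)
        self.c = {(x, y): (0 if x == y else INF) for x in self.vars for y in self.vars}
    def copy(self): z = Zone(self.vars); z.c = dict(self.c); return z
    def add(self, x, y, bound): self.c[(x, y)] = min(self.c[(x, y)], bound)  # x - y <= bound
    def add_var(self, v):
        for u in self.vars: self.c[(u, v)] = self.c[(v, u)] = INF
        self.c[(v, v)] = 0; self.vars.append(v)
    def canonical(self):  # Floyd-Warshall closure; False iff inconsistent (negative cycle)
        for k, i, j in product(self.vars, repeat=3):
            self.c[(i, j)] = min(self.c[(i, j)], self.c[(i, k)] + self.c[(k, j)])
        return all(self.c[(v, v)] >= 0 for v in self.vars)
    def eliminate(self, v):  # existential projection; exact once the DBM is canonical
        self.vars.remove(v); self.c = {k: b for k, b in self.c.items() if v not in k}
    def rename(self, old, new):
        self.vars[self.vars.index(old)] = new
        self.c = {(new if x == old else x, new if y == old else y): b for (x, y), b in self.c.items()}
    def bounds(self, x, y): return (-self.c[(y, x)], self.c[(x, y)])  # interval of x - y (canonical form)
    def contains(self, point): return all(point[x] - point[y] <= b for (x, y), b in self.c.items())
    def hull(self, other):  # smallest DBM containing both zones; the union is convex iff it equals the union
        z = Zone(self.vars); z.c = {k: max(b, other.c[k]) for k, b in self.c.items()}; return z

class Net:  # safe A-TPN: Pre/Post map transitions to sets of places, Isa maps input arcs to (↓Isa, ↑Isa)
    def __init__(self, pre, post, isa): self.pre, self.post, self.isa = pre, post, isa
    def live_arcs(self, marking, dead):  # EE(M) - Deada
        return [(p, t) for t in self.pre for p in sorted(self.pre[t]) if p in marking and (p, t) not in dead]
    def out_arcs(self, p):  # arcs (p, t_l) with t_l in p°
        return [(p, t) for t in self.pre if p in self.pre[t]]

def initial_class(net, m0, scg):
    arcs = net.live_arcs(m0, ())
    z = Zone([var(*a) for a in arcs] + ([ORIGIN] if scg else []))
    for a, b in product(arcs, arcs):  # p_ij - p_kl <= ↑Isa(p_i,t_j) - ↓Isa(p_k,t_l)
        z.add(var(*a), var(*b), net.isa[a][1] - net.isa[b][0])
    for a in (arcs if scg else []):   # SCG only: ↓Isa(p_i,t_j) <= p_ij - z <= ↑Isa(p_i,t_j)
        z.add(var(*a), ORIGIN, net.isa[a][1]); z.add(ORIGIN, var(*a), -net.isa[a][0])
    z.canonical()
    return StateClass(frozenset(m0), frozenset(), z)

def add_created(net, z, t, tv):  # step 5: ↓Isa(p_n,t_l) <= p_nl - t_f <= ↑Isa(p_n,t_l), p_n in Post(t_f)
    new = []
    for p, u in [a for q in net.post[t] for a in net.out_arcs(q)]:
        v, (lo, hi) = var(p, u), net.isa[(p, u)]
        z.add_var(v); z.add(v, tv, hi); z.add(tv, v, -lo); new.append(v)
    return new

def fire_class(net, cls, t, scg):
    """succ(γ, t_f), steps 1-6 of the firing rule; in SCG mode the firing instant becomes the new origin."""
    ins, live = [(p, t) for p in sorted(net.pre[t])], net.live_arcs(cls.marking, cls.dead)
    if any(a not in live for a in ins): return None               # t_f not enabled or an input arc is dead
    z = cls.zone.copy()
    for a, b in product(ins, live): z.add(var(*a), var(*b), 0)   # step 3: p_if <= p_jk
    if not z.canonical(): return None                              # firing condition inconsistent
    tv = "t_" + t; z.rename(var(*ins[0]), tv)                     # step 4: the (equal) p_if become t_f
    for a in ins[1:]: z.eliminate(var(*a))
    add_created(net, z, t, tv)
    z.canonical()                                                 # step 6
    if scg: z.eliminate(ORIGIN); z.rename(tv, ORIGIN)
    else: z.eliminate(tv)
    return StateClass((cls.marking - net.pre[t]) | net.post[t],   # steps 1 and 2
                      frozenset(a for a in cls.dead if a[0] not in net.pre[t]), z)

def fire_set(net, cls, ts):
    """Theorem 2 (CSCG): the union of succ(γ, ω) over all interleavings ω of the set ts, computed directly."""
    z, tvs, created = cls.zone.copy(), {t: "t_" + t for t in ts}, []
    consumed = set().union(*(net.pre[t] for t in ts))
    untouched = [a for a in net.live_arcs(cls.marking, cls.dead) if a[0] not in consumed]
    for t in ts:
        ins = [(p, t) for p in sorted(net.pre[t])]
        z.rename(var(*ins[0]), tvs[t])                            # p_if = t_f
        for a in ins[1:]: z.add(var(*a), tvs[t], 0); z.add(tvs[t], var(*a), 0)
        created += add_created(net, z, t, tvs[t])
        for a in untouched: z.add(tvs[t], var(*a), 0)             # t_f - p_jk <= 0
    for t, v in product(ts, created): z.add(tvs[t], v, 0)        # t_f - p_nl <= 0 for every created arc
    if not z.canonical(): return None
    for t in ts:                                                   # eliminate t_f and its input-arc variables
        z.eliminate(tvs[t])
        for a in [(p, t) for p in sorted(net.pre[t])][1:]: z.eliminate(var(*a))
    return StateClass((cls.marking - consumed) | set().union(*(net.post[t] for t in ts)),
                      frozenset(a for a in cls.dead if a[0] not in consumed), z)

def figure_2a():  # Figure 2.a as A-TPN (footnote 7); Isp(p3) = [1,1] and Isp(p4) = [2,2] are assumed
    pre = {"t1": {"p1"}, "t2": {"p2"}, "t3": {"p3"}, "t4": {"p4"}}
    post = {"t1": {"p3"}, "t2": {"p4"}, "t3": set(), "t4": set()}
    isa = {("p1", "t1"): (1, 3), ("p2", "t2"): (2, 4), ("p3", "t3"): (1, 1), ("p4", "t4"): (2, 2)}
    return Net(pre, post, isa)

def interleavings(scg):  # initial class and the classes reached by t1t2 and t2t1
    net = figure_2a(); g0 = initial_class(net, {"p1", "p2"}, scg)
    g12 = fire_class(net, fire_class(net, g0, "t1", scg), "t2", scg)
    g21 = fire_class(net, fire_class(net, g0, "t2", scg), "t1", scg)
    return g0, g12, g21
```

In CSCG mode, `interleavings(False)` gives $-2 \le \underline{p}_{33} - \underline{p}_{44} \le -1$ for $t_1 t_2$ and $-1 \le \underline{p}_{33} - \underline{p}_{44} \le 0$ for $t_2 t_1$, and `fire_set(net, g0, ["t1", "t2"])` gives $-2 \le \underline{p}_{33} - \underline{p}_{44} \le 0$, which is exactly the DBM hull of the two classes, as Theorem 2 predicts. In SCG mode, `interleavings(True)` reproduces the two classes quoted above, and the point $(\underline{p}_{33}, \underline{p}_{44}) = (1/2, 3/2)$ lies in their hull but in neither class, which exhibits the non-convexity. Comparing the theorem's class with the hull is only a consistency check of the theorem on this net, not a proof of it.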

4 Conclusion 

In this paper, we have considered the P-TPN and A-TPN models, their SCG and CSCG. We have 
investigated the convexity of the union of state classes reached by different interleavings of the same set 
of transitions. We have shown that this union is not convex in the SCG but is convex in the CSCG. This 
result allows the use of the reachability analysis approach proposed in [2], which reduces the redundancy 
caused by the interleaving semantics. 

This result is however not valid for the T-TPN [6], in spite of the fact that A-TPN is the most powerful 
model. This could be explained by the fact that the firing interval of a transition refers to the instant when 
it becomes enabled in T-TPN, whereas, in {P,A}-TPN, it is equal to the intersection of the intervals of all 
its input tokens/arcs. In T-TPN, the firing interval can be related to the last transition of a sequence and 
is then dependent on the firing order. For example, consider the net shown in Figure 2.b) and suppose that 
the intervals attached to places are moved to their output transitions. The firing of transitions 
$t_1$ and $t_2$, in any order, enables transition $t_3$. But the firing interval of $t_3$ is related to $t_2$ in $t_1 t_2$, whereas 
it is related to $t_1$ in $t_2 t_1$. The union of the CSCG state classes reached by $t_1 t_2$ and $t_2 t_1$ from the initial state 
class is: $(p_3 + p_4 + p_5 + p_6, (-8 \le \underline{t}_3 - \underline{t}_4 \le 1 \wedge -6 \le \underline{t}_3 \le 1 \wedge 2 \le \underline{t}_4 - \underline{t}_5 \le 4) \vee (-3 \le \underline{t}_3 \le 
2 \wedge -1 \le \underline{t}_3 - \underline{t}_5 \le 5 \wedge 1 \le \underline{t}_4 - \underline{t}_5 \le 4))$. Its domain is not convex. 

⁷ The P-TPN is translated into A-TPN by replacing the static residence interval function $Isp$ by $Isa$ defined by: $\forall p_i \in P$, $\forall t_j \in 
p_i^{\circ}$, $Isa(p_i, t_j) = Isp(p_i)$. 
Therefore, A-TPN is more powerful than T-TPN and also more suitable for abstractions by convex 
union. However, the translation of T-TPN into A-TPN is not easy and requires several additional places 
and transitions [?], which may offset the benefits of abstractions by convex union. The choice of the 
appropriate {P,T,A}-TPN model for a given problem should be a good compromise between the ease 
of modeling the problem and the verification complexity. 

As an immediate perspective, we will use the results established here and in [6] to investigate the extension, 
to {P,T,A}-TPN, of the reachability approach proposed in [12] for a variant of safe P-TPN. In this 
variant, there are two kinds of places (behaviour and constraint places) and each transition can have at 
most one behaviour place in its preset. A transition is firable if the age of its behaviour place reaches its 
static residence interval. It must be fired before this interval is exceeded, unless it is disabled. 